HuntingBookmark

Azure sentinel hunting bookmarks audit table

Table attributes

Attribute	Value
Resource types	-
Categories	Security
Solutions	SecurityInsights
Basic log	No
Ingestion-time transformation	Yes
Sample Queries	-

Columns

Column	Type	Description
_BilledSize	real	The record size in bytes
BookmarkId	string	Guid - the bookmark ARM resource name
BookmarkName	string	Bookmark name given by the user
BookmarkType	string	Can be used to mark bookmark origin - currently not used
CreatedBy	string	JSON object with the user who created the bookmark, including: ObjectID, email and name
CreatedTime	datetime	The timestamp of bookmark first creation time
Entities	string	A serialized JSON of entities mapped by this bookmark
EventTime	datetime	The timestamp of the original event that is bookmarked
_IsBillable	string	Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account
LastUpdatedTime	datetime	The timestamp of bookmark last update time
Notes	string	Notes provided by user
QueryEndTime	datetime	Query time range end time
QueryResultRow	string	JSON object with a single result row of the query
QueryStartTime	datetime	Query time range start time
QueryText	string	Original log analytics query text
_ResourceId	string	A unique identifier for the resource that the record is associated with
SoftDeleted	bool	Was the bookmark deleted by user
SourceSystem	string	The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics
_SubscriptionId	string	A unique identifier for the subscription that the record is associated with
Tags	string	Comma seperated list of tags provided by user
TenantId	string	The Log Analytics workspace ID
TimeGenerated	datetime	The timestamp (UTC) of the log
Type	string
UpdatedBy	string	JSON object with the user who last updated the bookmark, including: ObjectID, email and name